IIS 7.5 and above - enable schannel cipher DHE_RSA_AES_128_GCM following patch KB2992611 - Is this safe?

security windows tls iis schannel

I recently became aware that following the release of patch KB2992611 in November, Microsoft made available four new cipher suites for schannel (and thus IIS);

  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256

I'm also aware that problems were reported with this patch and the above four ciphers, resulting in the patch being temporarily pulled and the above cipher suites left disabled by default.

My question is two-fold;

  1. Has this now been corrected, and are the above cipher suites safe to use on a web server running IIS 7.5 and above?

  2. Which would be considered 'best' out of the the following two options;

    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

In other words, are the ecliptic curve elements of the second option (ECDHE_RSA) outweighed by the superior version of AES that the first offers (AES_GCM)?

And finally, does the advice here vary at all between 2008 R2, 2012 and 2012 R2?


Having read around this some more I have come to the following conclusions;

  • The DH parameters Microsoft used in TLS_DHE_RSA_WITH_AES_128_GCM / TLS_DHE_RSA_WITH_AES_256_GCM are, for compatibility reasons, only 1024 bits in length and are thus considered 'weak'.

  • The new cipher suites continue to not be present in the default cipher suite priority due to reported incompatibility issues (notably with MS SQL server).

  • AES CBC is considered secure on a fully patched IIS server

  • Windows 10 (and presumably the corresponding next version of Windows server) will have ECDHE_RSA with AES_GCM

On that basis I will continue to prefer TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 over the newer TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 on current servers and look to upgrade in the future when Windows 10 / Server 'Next' becomes available.

References

https://community.qualys.com/thread/14821 https://www.nartac.com/Products/IISCrypto/FAQ.aspx https://community.qualys.com/thread/13294 https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations#Key_exchange_algorithms_.28certificate-only.29

Related

How can I monitor HP P410 hardware RAID degraded in Freenas
openVPN - Split-tunneling DNS priority
Apache not booting, no error messages
I lost screen recording in macOS [duplicate]
How to create an offline hotspot to transfer data between iPhone and another device?
How do I know what Xcode versions are supported in Homebrew for my specific macOS version?
How do I restrict internet access to specific hours in iOS 14?
How to add arbitrary images to the "Photos" app on iPad?
Mac Software that Detects Windows Malware
Is there a way to reset the login password on big sur using the terminal?
Concerns about the display of a 2015 MBP being up for a while
MacBook Pro M1 Video Output using DVI Adaptor